CoinPort Pty Ltd
Privacy & Data Protection Policy
Document Number: CP-COMP-004
Version: 2.1
Effective Date: 23-Mar-2025
Review Date: 23-Mar-2026


1.0 POLICY STATEMENT

CoinPort Pty Ltd is committed to protecting the privacy and confidentiality of the personal information of our clients, employees, and other stakeholders. We recognise our obligations under the Privacy Act 1988 (Cth) (the Privacy Act), including the Australian Privacy Principles (APPs), and our specific obligations as an Australian Financial Services Licensee and an AUSTRAC-regulated reporting entity. This policy governs the collection, use, disclosure, storage, security, and disposal of all personal information we hold.

2.0 PURPOSE & SCOPE

This policy applies to all employees, contractors, directors, and third-party service providers who handle personal information on behalf of CoinPort. It outlines our procedures to ensure compliance with Australian privacy law and to maintain the trust placed in us by our clients.


3.0 DEFINITIONS

  • Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not. For CoinPort, this includes, but is not limited to: name, address, date of birth, contact details, government identifiers (e.g., passport, driver’s licence), tax file number, financial information, transaction history, digital wallet addresses, and Know Your Customer (KYC) verification data.
  • Sensitive Information: A subset of personal information afforded higher protection, including racial or ethnic origin, political opinions, religious beliefs, biometric data (used for identification), and health information. CoinPort generally does not collect sensitive information unless required by law (e.g., specific identity verification checks).
  • APP Entity: An organisation or agency to which the APPs apply. CoinPort is an APP Entity.

4.0 PRINCIPLES & PROCEDURES: COLLECTION, USE & DISCLOSURE

4.1 Collection of Personal Information

  • Lawful & Fair Means: We collect personal information only by lawful and fair means, and only where it is reasonably necessary for our functions and activities as a cryptocurrency exchange, primarily to:
    • Verify identity under AML/CTF laws.
    • Provide our financial services.
    • Assess and manage risk.
    • Comply with legal and regulatory obligations.
  • Notice (APP 5): At or before the time of collection, we provide individuals with a Privacy Collection Notice. This notice is integrated into our account opening process and website privacy policy, and outlines:
    • Our identity and contact details.
    • The purposes of collection.
    • Who we may disclose information to (e.g., regulators, third-party verification providers).
    • How to access and correct their information.
    • The consequences if information is not provided.
  • Solicited Information: We only collect personal information directly from the individual unless it is unreasonable or impracticable to do so (e.g., third-party identity verification services where authorised by law).

4.2 Use & Disclosure of Personal Information

  • Primary Purpose: Personal information will only be used or disclosed for the primary purpose for which it was collected, or for a directly related secondary purpose the individual would reasonably expect.
  • Secondary Use (Marketing): We will not use personal information for direct marketing unless we have consent or provide a simple opt-out mechanism.
  • Regulatory Disclosures: We disclose personal information to government and regulatory bodies as required by law, including but not limited to:
    • AUSTRAC for Suspicious Matter Reports (SMRs) and other compliance reporting.
    • ASIC, law enforcement agencies and other authorities under lawful requests (e.g., warrants, production notices).
  • Cross-Border Disclosure: Due to the global nature of cryptocurrency, some service providers (e.g., cloud hosting, specific analytics) may be located overseas. We will take reasonable steps to ensure overseas recipients comply with the APPs or are subject to a comparable privacy scheme, as required by APP 8. We disclose this in our Privacy Collection Notice.

5.0 DATA QUALITY, SECURITY & RETENTION

5.1 Data Quality (APP 10)

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up-to-date, and complete. This includes promptly updating client records once a requested change has been verified, and re-verifying identity information where our AML/CTF obligations require it.

5.2 Data Security (APP 11)

  • Obligation: We take active measures to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
  • Procedures: Security measures are detailed in our Cybersecurity Awareness Policy (CP-INFOSEC-002) and include:
    • Encryption of data at rest and in transit.
    • Access controls and the principle of least privilege.
    • Regular security assessments and penetration testing.
    • Secure development lifecycle for our platform.
    • Mandatory employee training on data handling.
  • Notifiable Data Breaches (NDB) Scheme: We have a documented Data Breach Response Plan. Where we suspect an eligible data breach (unauthorised access, disclosure or loss of personal information that is likely to result in serious harm to any affected individual), we assess it within the 30-day period required by the Privacy Act and, if it is confirmed, notify the affected individual(s) and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

5.3 Data Retention & Destruction

  • We retain personal information for as long as necessary to fulfil the purposes for which it was collected, and to comply with our legal and regulatory obligations (e.g., the AML/CTF Act requires customer identification and transaction records to be retained for 7 years after the transaction or the end of the customer relationship).
  • Once information is no longer required, we destroy or permanently de-identify it using secure methods that prevent recovery.

6.0 INDIVIDUAL RIGHTS & ACCESS

6.1 Access and Correction (APPs 12 & 13)

  • Individuals have the right to request access to their personal information we hold and to request corrections if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
  • Procedure for Handling Requests:
    1. All access or correction requests must be submitted in writing to the Privacy Officer at [[email protected]].
    2. We will verify the identity of the requestor.
    3. We will respond within a reasonable period (generally 30 days). We may charge a reasonable, non-excessive fee for providing access if the request is complex or voluminous, but we do not charge for making a request or for correcting information.
    4. If we refuse a request, we will provide written reasons and information on how to complain.

6.2 Anonymity & Pseudonymity

Given our regulatory obligations, it is generally not possible for individuals to transact with us anonymously or using a pseudonym. We must identify and verify our clients.


7.0 ROLES & RESPONSIBILITIES

  • Privacy Officer: Designated senior officer (e.g., the Chief Compliance Officer) responsible for overseeing compliance with this policy, handling privacy enquiries, and managing breach responses.
  • All Employees & Contractors: Responsible for understanding and adhering to this policy in their daily activities. Mishandling of personal information is a disciplinary matter.
  • Third-Party Providers: Contracts with vendors who handle personal information must include appropriate privacy and data security clauses.

8.0 COMPLAINTS & ENQUIRIES

  • Individuals with complaints about our handling of their personal information should contact the Privacy Officer in the first instance.
  • We are committed to resolving complaints promptly and fairly. If unsatisfied, individuals may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

9.0 POLICY MANAGEMENT & TRAINING

  • This policy is reviewed annually or following significant regulatory change.
  • All new employees receive privacy training as part of their onboarding. Annual refresher training is mandatory.

Approvals:

Chief Executive Officer: Kent Kingsley Date: 23-Mar-2025

Chief Compliance Officer: Peter Cooney Date: 23-Mar-2025


Privacy Officer Contact Details:
Email: [[email protected]]
Post: The Privacy Officer, CoinPort Pty Ltd, P.O. Box 6052, Melbourne 3004